Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(183)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/http/http_security_headers_unittest.cc

Issue 1211363005: Parse HPKP report-uri and persist in TransportSecurityPersister (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: minor cleanup Created 5 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« net/http/http_security_headers.cc ('K') | « net/http/http_security_headers.cc ('k') | net/http/transport_security_persister.cc » ('j') | net/http/transport_security_persister_unittest.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include <stdint.h> 5 #include <stdint.h>
6 #include <algorithm> 6 #include <algorithm>
7 7
8 #include "base/base64.h" 8 #include "base/base64.h"
9 #include "base/sha1.h" 9 #include "base/sha1.h"
10 #include "base/strings/string_piece.h" 10 #include "base/strings/string_piece.h"
(...skipping 134 matching lines...) Expand 10 before | Expand all | Expand 10 after
145 // values for its predictable fields. 145 // values for its predictable fields.
146 EXPECT_EQ(0, max_age.InSeconds()); 146 EXPECT_EQ(0, max_age.InSeconds());
147 EXPECT_FALSE(include_subdomains); 147 EXPECT_FALSE(include_subdomains);
148 } 148 }
149 149
150 static void TestBogusPinsHeaders(HashValueTag tag) { 150 static void TestBogusPinsHeaders(HashValueTag tag) {
151 base::TimeDelta max_age; 151 base::TimeDelta max_age;
152 bool include_subdomains; 152 bool include_subdomains;
153 HashValueVector hashes; 153 HashValueVector hashes;
154 HashValueVector chain_hashes; 154 HashValueVector chain_hashes;
155 std::string report_uri;
155 156
156 // Set some fake "chain" hashes 157 // Set some fake "chain" hashes
157 chain_hashes.push_back(GetTestHashValue(1, tag)); 158 chain_hashes.push_back(GetTestHashValue(1, tag));
158 chain_hashes.push_back(GetTestHashValue(2, tag)); 159 chain_hashes.push_back(GetTestHashValue(2, tag));
159 chain_hashes.push_back(GetTestHashValue(3, tag)); 160 chain_hashes.push_back(GetTestHashValue(3, tag));
160 161
161 // The good pin must be in the chain, the backup pin must not be 162 // The good pin must be in the chain, the backup pin must not be
162 std::string good_pin = GetTestPin(2, tag); 163 std::string good_pin = GetTestPin(2, tag);
163 std::string good_pin_unquoted = GetTestPinUnquoted(2, tag); 164 std::string good_pin_unquoted = GetTestPinUnquoted(2, tag);
164 std::string backup_pin = GetTestPin(4, tag); 165 std::string backup_pin = GetTestPin(4, tag);
165 166
166 EXPECT_FALSE(ParseHPKPHeader(std::string(), chain_hashes, &max_age, 167 EXPECT_FALSE(ParseHPKPHeader(std::string(), chain_hashes, &max_age,
167 &include_subdomains, &hashes)); 168 &include_subdomains, &hashes, &report_uri));
168 EXPECT_FALSE(ParseHPKPHeader(" ", chain_hashes, &max_age, 169 EXPECT_FALSE(ParseHPKPHeader(" ", chain_hashes, &max_age,
169 &include_subdomains, &hashes)); 170 &include_subdomains, &hashes, &report_uri));
170 EXPECT_FALSE(ParseHPKPHeader("abc", chain_hashes, &max_age, 171 EXPECT_FALSE(ParseHPKPHeader("abc", chain_hashes, &max_age,
171 &include_subdomains, &hashes)); 172 &include_subdomains, &hashes, &report_uri));
172 EXPECT_FALSE(ParseHPKPHeader(" abc", chain_hashes, &max_age, 173 EXPECT_FALSE(ParseHPKPHeader(" abc", chain_hashes, &max_age,
173 &include_subdomains, &hashes)); 174 &include_subdomains, &hashes, &report_uri));
174 EXPECT_FALSE(ParseHPKPHeader(" abc ", chain_hashes, &max_age, 175 EXPECT_FALSE(ParseHPKPHeader(" abc ", chain_hashes, &max_age,
175 &include_subdomains, &hashes)); 176 &include_subdomains, &hashes, &report_uri));
176 EXPECT_FALSE(ParseHPKPHeader("max-age", chain_hashes, &max_age, 177 EXPECT_FALSE(ParseHPKPHeader("max-age", chain_hashes, &max_age,
177 &include_subdomains, &hashes)); 178 &include_subdomains, &hashes, &report_uri));
178 EXPECT_FALSE(ParseHPKPHeader(" max-age", chain_hashes, &max_age, 179 EXPECT_FALSE(ParseHPKPHeader(" max-age", chain_hashes, &max_age,
179 &include_subdomains, &hashes)); 180 &include_subdomains, &hashes, &report_uri));
180 EXPECT_FALSE(ParseHPKPHeader(" max-age ", chain_hashes, &max_age, 181 EXPECT_FALSE(ParseHPKPHeader(" max-age ", chain_hashes, &max_age,
181 &include_subdomains, &hashes)); 182 &include_subdomains, &hashes, &report_uri));
182 EXPECT_FALSE(ParseHPKPHeader("max-age=", chain_hashes, &max_age, 183 EXPECT_FALSE(ParseHPKPHeader("max-age=", chain_hashes, &max_age,
183 &include_subdomains, &hashes)); 184 &include_subdomains, &hashes, &report_uri));
184 EXPECT_FALSE(ParseHPKPHeader(" max-age=", chain_hashes, &max_age, 185 EXPECT_FALSE(ParseHPKPHeader(" max-age=", chain_hashes, &max_age,
185 &include_subdomains, &hashes)); 186 &include_subdomains, &hashes, &report_uri));
186 EXPECT_FALSE(ParseHPKPHeader(" max-age =", chain_hashes, &max_age, 187 EXPECT_FALSE(ParseHPKPHeader(" max-age =", chain_hashes, &max_age,
187 &include_subdomains, &hashes)); 188 &include_subdomains, &hashes, &report_uri));
188 EXPECT_FALSE(ParseHPKPHeader(" max-age= ", chain_hashes, &max_age, 189 EXPECT_FALSE(ParseHPKPHeader(" max-age= ", chain_hashes, &max_age,
189 &include_subdomains, &hashes)); 190 &include_subdomains, &hashes, &report_uri));
190 EXPECT_FALSE(ParseHPKPHeader(" max-age = ", chain_hashes, 191 EXPECT_FALSE(ParseHPKPHeader(" max-age = ", chain_hashes, &max_age,
191 &max_age, &include_subdomains, &hashes)); 192 &include_subdomains, &hashes, &report_uri));
192 EXPECT_FALSE(ParseHPKPHeader(" max-age = xy", chain_hashes, 193 EXPECT_FALSE(ParseHPKPHeader(" max-age = xy", chain_hashes, &max_age,
193 &max_age, &include_subdomains, &hashes)); 194 &include_subdomains, &hashes, &report_uri));
194 EXPECT_FALSE(ParseHPKPHeader(" max-age = 3488a923", 195 EXPECT_FALSE(ParseHPKPHeader(" max-age = 3488a923", chain_hashes,
196 &max_age, &include_subdomains, &hashes,
197 &report_uri));
198 EXPECT_FALSE(ParseHPKPHeader("max-age=3488a923 ", chain_hashes, &max_age,
199 &include_subdomains, &hashes, &report_uri));
200 EXPECT_FALSE(ParseHPKPHeader(
201 "max-ag=3488923pins=" + good_pin + "," + backup_pin, chain_hashes,
202 &max_age, &include_subdomains, &hashes, &report_uri));
203 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;pins=" + good_pin + "," +
204 backup_pin + "report-uri=\"http://foo.com\"",
195 chain_hashes, &max_age, &include_subdomains, 205 chain_hashes, &max_age, &include_subdomains,
196 &hashes)); 206 &hashes, &report_uri));
197 EXPECT_FALSE(ParseHPKPHeader("max-age=3488a923 ", chain_hashes, 207 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923" + backup_pin, chain_hashes,
198 &max_age, &include_subdomains, &hashes)); 208 &max_age, &include_subdomains, &hashes,
199 EXPECT_FALSE(ParseHPKPHeader("max-ag=3488923pins=" + good_pin + "," + 209 &report_uri));
200 backup_pin, 210 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + backup_pin, chain_hashes,
211 &max_age, &include_subdomains, &hashes,
212 &report_uri));
213 EXPECT_FALSE(ParseHPKPHeader(
214 "max-aged=3488923; " + backup_pin + ";" + backup_pin, chain_hashes,
215 &max_age, &include_subdomains, &hashes, &report_uri));
216 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin + ";" + good_pin,
201 chain_hashes, &max_age, &include_subdomains, 217 chain_hashes, &max_age, &include_subdomains,
202 &hashes)); 218 &hashes, &report_uri));
203 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923" + backup_pin, 219 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin, chain_hashes,
204 chain_hashes, &max_age, &include_subdomains, 220 &max_age, &include_subdomains, &hashes,
205 &hashes)); 221 &report_uri));
206 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + backup_pin,
207 chain_hashes, &max_age, &include_subdomains,
208 &hashes));
209 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + backup_pin + ";" +
210 backup_pin,
211 chain_hashes, &max_age, &include_subdomains,
212 &hashes));
213 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin + ";" +
214 good_pin,
215 chain_hashes, &max_age, &include_subdomains,
216 &hashes));
217 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin,
218 chain_hashes, &max_age, &include_subdomains,
219 &hashes));
220 EXPECT_FALSE(ParseHPKPHeader("max-age==3488923", chain_hashes, &max_age, 222 EXPECT_FALSE(ParseHPKPHeader("max-age==3488923", chain_hashes, &max_age,
221 &include_subdomains, &hashes)); 223 &include_subdomains, &hashes, &report_uri));
222 EXPECT_FALSE(ParseHPKPHeader("amax-age=3488923", chain_hashes, &max_age, 224 EXPECT_FALSE(ParseHPKPHeader("amax-age=3488923", chain_hashes, &max_age,
223 &include_subdomains, &hashes)); 225 &include_subdomains, &hashes, &report_uri));
224 EXPECT_FALSE(ParseHPKPHeader("max-age=-3488923", chain_hashes, &max_age, 226 EXPECT_FALSE(ParseHPKPHeader("max-age=-3488923", chain_hashes, &max_age,
225 &include_subdomains, &hashes)); 227 &include_subdomains, &hashes, &report_uri));
226 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;", chain_hashes, &max_age, 228 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;", chain_hashes, &max_age,
227 &include_subdomains, &hashes)); 229 &include_subdomains, &hashes, &report_uri));
228 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 e", chain_hashes, 230 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 e", chain_hashes, &max_age,
229 &max_age, &include_subdomains, &hashes)); 231 &include_subdomains, &hashes, &report_uri));
230 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 includesubdomain", 232 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 includesubdomain",
231 chain_hashes, &max_age, &include_subdomains, 233 chain_hashes, &max_age, &include_subdomains,
232 &hashes)); 234 &hashes, &report_uri));
235 EXPECT_FALSE(ParseHPKPHeader(
236 "max-age=3488923 report-uri=\"http://foo.com\"", chain_hashes,
237 &max_age, &include_subdomains, &hashes, &report_uri));
233 EXPECT_FALSE(ParseHPKPHeader("max-age=34889.23", chain_hashes, &max_age, 238 EXPECT_FALSE(ParseHPKPHeader("max-age=34889.23", chain_hashes, &max_age,
234 &include_subdomains, &hashes)); 239 &include_subdomains, &hashes, &report_uri));
235 EXPECT_FALSE( 240 EXPECT_FALSE(ParseHPKPHeader(
236 ParseHPKPHeader("max-age=243; " + good_pin_unquoted + ";" + backup_pin, 241 "max-age=243; " + good_pin_unquoted + ";" + backup_pin, chain_hashes,
237 chain_hashes, &max_age, &include_subdomains, &hashes)); 242 &max_age, &include_subdomains, &hashes, &report_uri));
243 EXPECT_FALSE(ParseHPKPHeader(
244 "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=;",
245 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));
246 EXPECT_FALSE(ParseHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin +
247 ";report-uri=http://foo.com;",
248 chain_hashes, &max_age, &include_subdomains,
249 &hashes, &report_uri));
250 EXPECT_FALSE(ParseHPKPHeader(
251 "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=''",
252 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));
238 253
239 // Check the out args were not updated by checking the default 254 // Check the out args were not updated by checking the default
240 // values for its predictable fields. 255 // values for its predictable fields.
241 EXPECT_EQ(0, max_age.InSeconds()); 256 EXPECT_EQ(0, max_age.InSeconds());
242 EXPECT_EQ(hashes.size(), (size_t)0); 257 EXPECT_EQ(hashes.size(), (size_t)0);
243 } 258 }
244 259
245 TEST_F(HttpSecurityHeadersTest, ValidSTSHeaders) { 260 TEST_F(HttpSecurityHeadersTest, ValidSTSHeaders) {
246 base::TimeDelta max_age; 261 base::TimeDelta max_age;
247 base::TimeDelta expect_max_age; 262 base::TimeDelta expect_max_age;
(...skipping 150 matching lines...) Expand 10 before | Expand all | Expand 10 after
398 EXPECT_EQ(expect_max_age, max_age); 413 EXPECT_EQ(expect_max_age, max_age);
399 EXPECT_TRUE(include_subdomains); 414 EXPECT_TRUE(include_subdomains);
400 } 415 }
401 416
402 static void TestValidPKPHeaders(HashValueTag tag) { 417 static void TestValidPKPHeaders(HashValueTag tag) {
403 base::TimeDelta max_age; 418 base::TimeDelta max_age;
404 base::TimeDelta expect_max_age; 419 base::TimeDelta expect_max_age;
405 bool include_subdomains; 420 bool include_subdomains;
406 HashValueVector hashes; 421 HashValueVector hashes;
407 HashValueVector chain_hashes; 422 HashValueVector chain_hashes;
423 std::string expect_report_uri;
424 std::string report_uri;
408 425
409 // Set some fake "chain" hashes into chain_hashes 426 // Set some fake "chain" hashes into chain_hashes
410 chain_hashes.push_back(GetTestHashValue(1, tag)); 427 chain_hashes.push_back(GetTestHashValue(1, tag));
411 chain_hashes.push_back(GetTestHashValue(2, tag)); 428 chain_hashes.push_back(GetTestHashValue(2, tag));
412 chain_hashes.push_back(GetTestHashValue(3, tag)); 429 chain_hashes.push_back(GetTestHashValue(3, tag));
413 430
414 // The good pin must be in the chain, the backup pin must not be 431 // The good pin must be in the chain, the backup pin must not be
415 std::string good_pin = GetTestPin(2, tag); 432 std::string good_pin = GetTestPin(2, tag);
416 std::string good_pin2 = GetTestPin(3, tag); 433 std::string good_pin2 = GetTestPin(3, tag);
417 std::string backup_pin = GetTestPin(4, tag); 434 std::string backup_pin = GetTestPin(4, tag);
418 435
419 EXPECT_TRUE(ParseHPKPHeader( 436 EXPECT_TRUE(ParseHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin,
420 "max-age=243; " + good_pin + ";" + backup_pin, 437 chain_hashes, &max_age, &include_subdomains,
421 chain_hashes, &max_age, &include_subdomains, &hashes)); 438 &hashes, &report_uri));
422 expect_max_age = base::TimeDelta::FromSeconds(243); 439 expect_max_age = base::TimeDelta::FromSeconds(243);
423 EXPECT_EQ(expect_max_age, max_age); 440 EXPECT_EQ(expect_max_age, max_age);
424 EXPECT_FALSE(include_subdomains); 441 EXPECT_FALSE(include_subdomains);
442 EXPECT_EQ(std::string(), report_uri);
425 443
426 EXPECT_TRUE(ParseHPKPHeader( 444 EXPECT_TRUE(ParseHPKPHeader(
427 " " + good_pin + "; " + backup_pin + " ; Max-agE = 567", 445 "max-age=243; " + good_pin + ";" + backup_pin + "; report-uri= \"/foo\"",
428 chain_hashes, &max_age, &include_subdomains, &hashes)); 446 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));
429 expect_max_age = base::TimeDelta::FromSeconds(567); 447 expect_max_age = base::TimeDelta::FromSeconds(243);
448 expect_report_uri = "/foo";
430 EXPECT_EQ(expect_max_age, max_age); 449 EXPECT_EQ(expect_max_age, max_age);
431 EXPECT_FALSE(include_subdomains); 450 EXPECT_FALSE(include_subdomains);
451 EXPECT_EQ(expect_report_uri, report_uri);
432 452
433 EXPECT_TRUE(ParseHPKPHeader( 453 EXPECT_TRUE(ParseHPKPHeader(" " + good_pin + "; " + backup_pin +
434 "includeSubDOMAINS;" + good_pin + ";" + backup_pin + 454 " ; Max-agE = 567; repOrT-URi = \"/foo\"",
435 " ; mAx-aGe = 890 ", 455 chain_hashes, &max_age, &include_subdomains,
436 chain_hashes, &max_age, &include_subdomains, &hashes)); 456 &hashes, &report_uri));
457 expect_max_age = base::TimeDelta::FromSeconds(567);
458 expect_report_uri = "/foo";
459 EXPECT_EQ(expect_max_age, max_age);
460 EXPECT_FALSE(include_subdomains);
461 EXPECT_EQ(expect_report_uri, report_uri);
462
463 EXPECT_TRUE(ParseHPKPHeader("includeSubDOMAINS;" + good_pin + ";" +
464 backup_pin + " ; mAx-aGe = 890 ",
465 chain_hashes, &max_age, &include_subdomains,
466 &hashes, &report_uri));
437 expect_max_age = base::TimeDelta::FromSeconds(890); 467 expect_max_age = base::TimeDelta::FromSeconds(890);
438 EXPECT_EQ(expect_max_age, max_age); 468 EXPECT_EQ(expect_max_age, max_age);
439 EXPECT_TRUE(include_subdomains); 469 EXPECT_TRUE(include_subdomains);
440 470
441 EXPECT_TRUE(ParseHPKPHeader( 471 EXPECT_TRUE(ParseHPKPHeader(
442 good_pin + ";" + backup_pin + "; max-age=123;IGNORED;", 472 good_pin + ";" + backup_pin + "; max-age=123;IGNORED;", chain_hashes,
443 chain_hashes, &max_age, &include_subdomains, &hashes)); 473 &max_age, &include_subdomains, &hashes, &report_uri));
444 expect_max_age = base::TimeDelta::FromSeconds(123); 474 expect_max_age = base::TimeDelta::FromSeconds(123);
445 EXPECT_EQ(expect_max_age, max_age); 475 EXPECT_EQ(expect_max_age, max_age);
446 EXPECT_FALSE(include_subdomains); 476 EXPECT_FALSE(include_subdomains);
447 477
448 EXPECT_TRUE(ParseHPKPHeader( 478 EXPECT_TRUE(ParseHPKPHeader(
449 "max-age=394082;" + backup_pin + ";" + good_pin + "; ", 479 "max-age=394082;" + backup_pin + ";" + good_pin + "; ", chain_hashes,
450 chain_hashes, &max_age, &include_subdomains, &hashes)); 480 &max_age, &include_subdomains, &hashes, &report_uri));
451 expect_max_age = base::TimeDelta::FromSeconds(394082); 481 expect_max_age = base::TimeDelta::FromSeconds(394082);
452 EXPECT_EQ(expect_max_age, max_age); 482 EXPECT_EQ(expect_max_age, max_age);
453 EXPECT_FALSE(include_subdomains); 483 EXPECT_FALSE(include_subdomains);
454 484
455 EXPECT_TRUE(ParseHPKPHeader( 485 EXPECT_TRUE(ParseHPKPHeader(
456 "max-age=39408299 ;" + backup_pin + ";" + good_pin + "; ", 486 "max-age=39408299 ;" + backup_pin + ";" + good_pin + "; ", chain_hashes,
457 chain_hashes, &max_age, &include_subdomains, &hashes)); 487 &max_age, &include_subdomains, &hashes, &report_uri));
458 expect_max_age = base::TimeDelta::FromSeconds( 488 expect_max_age = base::TimeDelta::FromSeconds(
459 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(39408299)))); 489 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(39408299))));
460 EXPECT_EQ(expect_max_age, max_age); 490 EXPECT_EQ(expect_max_age, max_age);
461 EXPECT_FALSE(include_subdomains); 491 EXPECT_FALSE(include_subdomains);
462 492
463 EXPECT_TRUE(ParseHPKPHeader( 493 EXPECT_TRUE(ParseHPKPHeader(
464 "max-age=39408038 ; cybers=39408038 ; includeSubdomains; " + 494 "max-age=39408038 ; cybers=39408038 ; includeSubdomains; " +
465 good_pin + ";" + backup_pin + "; ", 495 good_pin + ";" + backup_pin + "; ",
466 chain_hashes, &max_age, &include_subdomains, &hashes)); 496 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));
467 expect_max_age = base::TimeDelta::FromSeconds( 497 expect_max_age = base::TimeDelta::FromSeconds(
468 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(394082038)))); 498 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(394082038))));
469 EXPECT_EQ(expect_max_age, max_age); 499 EXPECT_EQ(expect_max_age, max_age);
470 EXPECT_TRUE(include_subdomains); 500 EXPECT_TRUE(include_subdomains);
471 501
472 EXPECT_TRUE(ParseHPKPHeader( 502 EXPECT_TRUE(ParseHPKPHeader(" max-age=0 ; " + good_pin + ";" + backup_pin,
473 " max-age=0 ; " + good_pin + ";" + backup_pin, 503 chain_hashes, &max_age, &include_subdomains,
474 chain_hashes, &max_age, &include_subdomains, &hashes)); 504 &hashes, &report_uri));
475 expect_max_age = base::TimeDelta::FromSeconds(0); 505 expect_max_age = base::TimeDelta::FromSeconds(0);
476 EXPECT_EQ(expect_max_age, max_age); 506 EXPECT_EQ(expect_max_age, max_age);
477 EXPECT_FALSE(include_subdomains); 507 EXPECT_FALSE(include_subdomains);
478 508
479 EXPECT_TRUE(ParseHPKPHeader( 509 EXPECT_TRUE(ParseHPKPHeader(
480 " max-age=0 ; includeSubdomains; " + good_pin + ";" + backup_pin, 510 " max-age=0 ; includeSubdomains; " + good_pin + ";" + backup_pin,
481 chain_hashes, &max_age, &include_subdomains, &hashes)); 511 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));
482 expect_max_age = base::TimeDelta::FromSeconds(0); 512 expect_max_age = base::TimeDelta::FromSeconds(0);
483 EXPECT_EQ(expect_max_age, max_age); 513 EXPECT_EQ(expect_max_age, max_age);
484 EXPECT_TRUE(include_subdomains); 514 EXPECT_TRUE(include_subdomains);
485 515
486 EXPECT_TRUE(ParseHPKPHeader( 516 EXPECT_TRUE(ParseHPKPHeader(
487 " max-age=999999999999999999999999999999999999999999999 ; " + 517 " max-age=999999999999999999999999999999999999999999999 ; " +
488 backup_pin + ";" + good_pin + "; ", 518 backup_pin + ";" + good_pin + "; ",
489 chain_hashes, &max_age, &include_subdomains, &hashes)); 519 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));
490 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs); 520 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs);
491 EXPECT_EQ(expect_max_age, max_age); 521 EXPECT_EQ(expect_max_age, max_age);
492 EXPECT_FALSE(include_subdomains); 522 EXPECT_FALSE(include_subdomains);
493 523
524 EXPECT_TRUE(ParseHPKPHeader(
525 " max-age=999999999999999999999999999999999999999999999 ; " +
526 backup_pin + ";" + good_pin + "; report-uri=\"/foo\"",
Ryan Sleevi 2015/06/26 19:41:52 Suggestion: include a quoted URL with a ";", to ma
Ryan Sleevi 2015/06/26 19:41:52 Suggestion: Also include a > 0x7F character, which
Ryan Sleevi 2015/06/26 19:41:52 Suggestion: Also include a report-uri with an enco
estark 2015/06/26 22:42:11 Done.
estark 2015/06/26 22:42:11 I'm actually not sure what we should be doing with
estark 2015/06/26 22:42:11 Done. (It in fact wasn't tokenizing properly!)
Ryan Sleevi 2015/06/27 12:13:59 HttpUtil::Unquote handles unescaping
527 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));
528 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs);
529 expect_report_uri = "/foo";
530 EXPECT_EQ(expect_max_age, max_age);
531 EXPECT_FALSE(include_subdomains);
532 EXPECT_EQ(expect_report_uri, report_uri);
533
494 // Test that parsing a different header resets the hashes. 534 // Test that parsing a different header resets the hashes.
495 hashes.clear(); 535 hashes.clear();
496 EXPECT_TRUE(ParseHPKPHeader( 536 EXPECT_TRUE(ParseHPKPHeader(
497 " max-age=999; " + 537 " max-age=999; " + backup_pin + ";" + good_pin + "; ", chain_hashes,
498 backup_pin + ";" + good_pin + "; ", 538 &max_age, &include_subdomains, &hashes, &report_uri));
499 chain_hashes, &max_age, &include_subdomains, &hashes));
500 EXPECT_EQ(2u, hashes.size()); 539 EXPECT_EQ(2u, hashes.size());
501 EXPECT_TRUE(ParseHPKPHeader( 540 EXPECT_TRUE(ParseHPKPHeader(
502 " max-age=999; " + backup_pin + ";" + good_pin2 + "; ", chain_hashes, 541 " max-age=999; " + backup_pin + ";" + good_pin2 + "; ", chain_hashes,
503 &max_age, &include_subdomains, &hashes)); 542 &max_age, &include_subdomains, &hashes, &report_uri));
504 EXPECT_EQ(2u, hashes.size()); 543 EXPECT_EQ(2u, hashes.size());
505 } 544 }
506 545
507 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA1) { 546 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA1) {
508 TestBogusPinsHeaders(HASH_VALUE_SHA1); 547 TestBogusPinsHeaders(HASH_VALUE_SHA1);
509 } 548 }
510 549
511 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA256) { 550 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA256) {
512 TestBogusPinsHeaders(HASH_VALUE_SHA256); 551 TestBogusPinsHeaders(HASH_VALUE_SHA256);
513 } 552 }
(...skipping 16 matching lines...) Expand all
530 EXPECT_TRUE( 569 EXPECT_TRUE(
531 state.GetStaticDomainState(domain, &static_domain_state)); 570 state.GetStaticDomainState(domain, &static_domain_state));
532 EXPECT_GT(static_domain_state.pkp.spki_hashes.size(), 1UL); 571 EXPECT_GT(static_domain_state.pkp.spki_hashes.size(), 1UL);
533 HashValueVector saved_hashes = static_domain_state.pkp.spki_hashes; 572 HashValueVector saved_hashes = static_domain_state.pkp.spki_hashes;
534 573
535 // Add a header, which should only update the dynamic state. 574 // Add a header, which should only update the dynamic state.
536 HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1); 575 HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1);
537 HashValue backup_hash = GetTestHashValue(2, HASH_VALUE_SHA1); 576 HashValue backup_hash = GetTestHashValue(2, HASH_VALUE_SHA1);
538 std::string good_pin = GetTestPin(1, HASH_VALUE_SHA1); 577 std::string good_pin = GetTestPin(1, HASH_VALUE_SHA1);
539 std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA1); 578 std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA1);
540 std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin; 579 std::string report_uri = "http://google.com";
580 std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin +
581 ";report-uri=\"" + report_uri + "\"";
541 582
542 // Construct a fake SSLInfo that will pass AddHPKPHeader's checks. 583 // Construct a fake SSLInfo that will pass AddHPKPHeader's checks.
543 SSLInfo ssl_info; 584 SSLInfo ssl_info;
544 ssl_info.public_key_hashes.push_back(good_hash); 585 ssl_info.public_key_hashes.push_back(good_hash);
545 ssl_info.public_key_hashes.push_back(saved_hashes[0]); 586 ssl_info.public_key_hashes.push_back(saved_hashes[0]);
546 EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info)); 587 EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info));
547 588
548 // Expect the static state to remain unchanged. 589 // Expect the static state to remain unchanged.
549 TransportSecurityState::DomainState new_static_domain_state; 590 TransportSecurityState::DomainState new_static_domain_state;
550 EXPECT_TRUE(state.GetStaticDomainState( 591 EXPECT_TRUE(state.GetStaticDomainState(
551 domain, &new_static_domain_state)); 592 domain, &new_static_domain_state));
552 for (size_t i = 0; i < saved_hashes.size(); ++i) { 593 for (size_t i = 0; i < saved_hashes.size(); ++i) {
553 EXPECT_TRUE(HashValuesEqual(saved_hashes[i])( 594 EXPECT_TRUE(HashValuesEqual(saved_hashes[i])(
554 new_static_domain_state.pkp.spki_hashes[i])); 595 new_static_domain_state.pkp.spki_hashes[i]));
555 } 596 }
556 597
557 // Expect the dynamic state to reflect the header. 598 // Expect the dynamic state to reflect the header.
558 TransportSecurityState::DomainState dynamic_domain_state; 599 TransportSecurityState::DomainState dynamic_domain_state;
559 EXPECT_TRUE(state.GetDynamicDomainState(domain, &dynamic_domain_state)); 600 EXPECT_TRUE(state.GetDynamicDomainState(domain, &dynamic_domain_state));
560 EXPECT_EQ(2UL, dynamic_domain_state.pkp.spki_hashes.size()); 601 EXPECT_EQ(2UL, dynamic_domain_state.pkp.spki_hashes.size());
602 EXPECT_EQ(report_uri, dynamic_domain_state.pkp.report_uri);
561 603
562 HashValueVector::const_iterator hash = 604 HashValueVector::const_iterator hash =
563 std::find_if(dynamic_domain_state.pkp.spki_hashes.begin(), 605 std::find_if(dynamic_domain_state.pkp.spki_hashes.begin(),
564 dynamic_domain_state.pkp.spki_hashes.end(), 606 dynamic_domain_state.pkp.spki_hashes.end(),
565 HashValuesEqual(good_hash)); 607 HashValuesEqual(good_hash));
566 EXPECT_NE(dynamic_domain_state.pkp.spki_hashes.end(), hash); 608 EXPECT_NE(dynamic_domain_state.pkp.spki_hashes.end(), hash);
567 609
568 hash = std::find_if(dynamic_domain_state.pkp.spki_hashes.begin(), 610 hash = std::find_if(dynamic_domain_state.pkp.spki_hashes.begin(),
569 dynamic_domain_state.pkp.spki_hashes.end(), 611 dynamic_domain_state.pkp.spki_hashes.end(),
570 HashValuesEqual(backup_hash)); 612 HashValuesEqual(backup_hash));
571 EXPECT_NE(dynamic_domain_state.pkp.spki_hashes.end(), hash); 613 EXPECT_NE(dynamic_domain_state.pkp.spki_hashes.end(), hash);
572 614
573 // Expect the overall state to reflect the header, too. 615 // Expect the overall state to reflect the header, too.
574 EXPECT_TRUE(state.HasPublicKeyPins(domain)); 616 EXPECT_TRUE(state.HasPublicKeyPins(domain));
575 HashValueVector hashes; 617 HashValueVector hashes;
576 hashes.push_back(good_hash); 618 hashes.push_back(good_hash);
577 std::string failure_log; 619 std::string failure_log;
578 const bool is_issued_by_known_root = true; 620 const bool is_issued_by_known_root = true;
579 EXPECT_TRUE(state.CheckPublicKeyPins( 621 EXPECT_TRUE(state.CheckPublicKeyPins(
580 domain, is_issued_by_known_root, hashes, &failure_log)); 622 domain, is_issued_by_known_root, hashes, &failure_log));
581 623
582 TransportSecurityState::DomainState new_dynamic_domain_state; 624 TransportSecurityState::DomainState new_dynamic_domain_state;
583 EXPECT_TRUE(state.GetDynamicDomainState(domain, &new_dynamic_domain_state)); 625 EXPECT_TRUE(state.GetDynamicDomainState(domain, &new_dynamic_domain_state));
584 EXPECT_EQ(2UL, new_dynamic_domain_state.pkp.spki_hashes.size()); 626 EXPECT_EQ(2UL, new_dynamic_domain_state.pkp.spki_hashes.size());
627 EXPECT_EQ(report_uri, dynamic_domain_state.pkp.report_uri);
585 628
586 hash = std::find_if(new_dynamic_domain_state.pkp.spki_hashes.begin(), 629 hash = std::find_if(new_dynamic_domain_state.pkp.spki_hashes.begin(),
587 new_dynamic_domain_state.pkp.spki_hashes.end(), 630 new_dynamic_domain_state.pkp.spki_hashes.end(),
588 HashValuesEqual(good_hash)); 631 HashValuesEqual(good_hash));
589 EXPECT_NE(new_dynamic_domain_state.pkp.spki_hashes.end(), hash); 632 EXPECT_NE(new_dynamic_domain_state.pkp.spki_hashes.end(), hash);
590 633
591 hash = std::find_if(new_dynamic_domain_state.pkp.spki_hashes.begin(), 634 hash = std::find_if(new_dynamic_domain_state.pkp.spki_hashes.begin(),
592 new_dynamic_domain_state.pkp.spki_hashes.end(), 635 new_dynamic_domain_state.pkp.spki_hashes.end(),
593 HashValuesEqual(backup_hash)); 636 HashValuesEqual(backup_hash));
594 EXPECT_NE(new_dynamic_domain_state.pkp.spki_hashes.end(), hash); 637 EXPECT_NE(new_dynamic_domain_state.pkp.spki_hashes.end(), hash);
(...skipping 166 matching lines...) Expand 10 before | Expand all | Expand 10 after
761 ssl_info)); 804 ssl_info));
762 805
763 // The old pins must still exist. 806 // The old pins must still exist.
764 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); 807 EXPECT_TRUE(state.HasPublicKeyPins("example.com"));
765 EXPECT_TRUE(state.CheckPublicKeyPins("example.com", is_issued_by_known_root, 808 EXPECT_TRUE(state.CheckPublicKeyPins("example.com", is_issued_by_known_root,
766 ssl_info.public_key_hashes, 809 ssl_info.public_key_hashes,
767 &failure_log)); 810 &failure_log));
768 } 811 }
769 812
770 }; // namespace net 813 }; // namespace net
OLDNEW
« net/http/http_security_headers.cc ('K') | « net/http/http_security_headers.cc ('k') | net/http/transport_security_persister.cc » ('j') | net/http/transport_security_persister_unittest.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698